Aaron Swartz, who faced as many as 35 years in prison under hacking charges and killed himself last week.

If any good comes out of the tragic suicide of brilliant programmer Aaron Swartz, it may be a new political will to reform the bluntly crafted hacking laws that allowed prosecutors to threaten the 26-year-old activist with decades in prison. But an "Aaron's Law" that's already been proposed to make those reforms may need serious tweaking if it's going to prevent the next overzealous hacker crackdown.

On Tuesday night California Congresswoman Zoe Lofgren posted on the social news site Reddit a proposal for an amendment that would reshape the Computer Fraud and Abuse Act and the wire fraud statute, specifically changing the laws to legalize violating an online service's user agreement or terms of service. "We should prevent what happened to Aaron from happening to other Internet users," Lofgren wrote. "Using the law in this way could criminalize many everyday activities and allow for outlandishly severe penalties."

Lofgren's proposal won quick approval from the site's users, and even a note from copyright lawyer and Swartz supporter Lawrence Lessig. "This is a CRITICALLY important change that would do incredible good," Lessig wrote. "The CFAA was the hook for the government's bullying of [Aaron]. This law would remove that hook. In a single line: no longer would it be a felony to breach a contract. Let's get this done for Aaron — now."

But Marcia Hofmann, a hacker-focused attorney with the Electronic Frontier Foundation, says that Lofgren's one-page draft of "Aaron's Law" isn't enough to fix the CFAA, and likely wouldn't have even been enough to protect Swartz himself. "It's a great first step," says Hofmann. "But if it's trying to make sure what happened to Aaron can't happen to someone else, it needs to do more."

When Swartz wrote a program that had his Acer laptop automatically download millions of academic papers from the restricted website JSTOR, after all, he ended up doing more than merely violating MIT's and JSTOR's terms of service, Hofmann points out. When registering an account with MIT that gave him initial access to the JSTOR documents, he used a pseudonym, "Gary Host." And when MIT administrators noticed his computer downloading massive numbers of documents, they attempted to block his connection based on its IP and MAC addresses, measures that Swartz circumvented.

The larger issue, Hofmann says, is the CFAA's definition of "unauthorized" access, which is far vaguer than merely access that violates a site's terms of service. Regardless of JSTOR's or MIT's terms of service, Swartz's access became "unauthorized" in prosecutors' view simply because a few administrators didn't like what he was doing and attempted to stop him. "Aaron was authorized to access JSTOR's data, and to read papers one by one," says Hofmann. "It was the access controls put in place after he set up a script to access them faster that made his access 'unauthorized.'"

And Hofmann points out that skirting an IP or MAC address ban doesn't even rise to the level of cracking a password in terms of demonstrating unauthorized access. "That's not a lock. That's a speedbump," she says. "If you drive around a speedbump instead of over it, is that illegal?"

Tor Ekeland, a lawyer for convicted hacker Andrew Auernheimer, a.k.a. Weev, also weighed in on the Reddit thread discussing Lofgren's proposed amendment. Ekeland knows something about messy definitions of unauthorized access: his client Auernheimer was found guilty in November of conspiracy to access a computer without authorization when he and a friend ran a script to collect 114,000 iPad users' email addresses, which AT&T had left accessible on a public site. Despite reveling in private communications about hurting AT&T's stock price, Auernheimer never published or profited from the data, and didn't even circumvent any security measures to access it.

"Unauthorized access is nowhere defined in the [CFAA] and the case law is hopelessly confused on this point," wrote Ekeland. "This leaves prosecutors myriad ways to argue unauthorized access: because they say so, or JSTOR or MIT says so despite their TOS, or because a fiduciary duty was violated, or because someone's grandmother said so."

The dangerously vague definition of "unauthorized" isn't the CFAA's only pitfall. The EFF's Hofmann notes that any reform to the CFAA should also address the difference between data theft for profit and a more benign hack like Swartz's that had no such motive. Swartz was hit with felony charges because the data he stole was deemed worth more than $5,000. But that calculus was based on JSTOR's estimates alone; Swartz never intended to sell the collection of documents.

"He wasn't stealing this information to sell trade secrets or sell credit histories. This was an act of civil disobedience," says Hofmann. "There needs to be a safety valve in the law that at least recognizes that."

Ekeland suggests in his Reddit comments that such cases of data theft should be settled with civil cases rather than criminal law, a notion that would likely have saved Swartz from prosecution given that JSTOR had dropped the case. "Why not reserve criminal sanctions for the cases where it's truly merited, where a significant and real harm occurred?" Ekeland writes.

To be fair, Lofgren hasn't yet even introduced her "Aaron's Law" proposal to the House. Her Reddit post merely solicited comments on the amendment before she considers developing it further and pushing for its adoption. But judging by the immediate reaction of lawyers who have defended cases involving the CFAA, Lofgren's short amendment only scratches the surface of the issue.

"The [CFAA] is a prosecutor's wet dream and a defendant's nightmare," concludes Ekeland. "Amending the definition of unauthorized access to exclude [terms of service] violations is just putting a band-aid on a gaping, gushing wound."